Improve Network Segmentation with Aruba Instant Zones

By Scott Lester, Blog Contributor

For several years now, some customers have been looking for ways to utilize enterprise-level WLAN hardware in their organizations without the recurring costs of maintenance and/or licensing fees. Within the Aruba product line, the Aruba Instant software was developed to meet those needs by providing enterprise-grade hardware with solid performance for WLANs of any size. Because the Instant software offered only a subset of the enterprise-level features of the controller-based product, this created a gap in the level of control network administrators have over the network. One of the missing features was the ability to selectively broadcast SSIDs throughout the environment.

In The Zone

Enter the "zones" feature within the Aruba Instant software. Using zones to allow selective SSID broadcast within the Aruba Instant cluster is something that has been around for some time. The idea behind the feature was to let administrators configure an AP (or set of APs) to broadcast an SSID that contains the matching zone attribute within its configuration. This is very helpful in providing users the ability to decide where a particular SSID should be broadcast, while preventing it from being used in other, undesirable areas. Yet the feature had a major drawback: an AP could only be a member of one zone at a time.

The limitation of a singular zone attribute greatly diminished the amount of control over the network, especially in larger Instant deployments where there is a need for several permutations of SSID combinations in many different physical locations. The good news is that in the Aruba Instant code, released June 2018, the single zone membership limitation has been eliminated. Users now have the ability to have up to 6 SSID zones per AP and a total of 32 SSID zones per SSID profile.

What does setting up the zones feature look like now? Honestly, it’s not that different from prior versions. Instead of reinventing the wheel, so to speak, the administrator simply adds a comma between the zone listings.

Setting Up Zones

Let’s take a closer look at what setting up zones is like, and how this can help provide SSID segmentation in a network.

Aruba Instant GUI - AP Config

Setting up zones within the Instant GUI is extremely simple. Within the configuration for each SSID, you will find a zone field where you will enter the name for the zone you would like to use. This can be any combination of alphanumeric values such as a building name like “Smith Hall” or an ID like “Bldg200”. One tip is to avoid the use of spaces when creating these attributes as we all know how spaces cause issues in configurations! Once the SSID has been configured, to select which APs broadcast that SSID, you must enter the matching attribute into the AP’s zone field. If you don’t put a zone attribute in the SSID configuration, then that SSID will broadcast on all members of that cluster. As mentioned earlier, to broadcast an SSID in more than one zone, simply add the matching zone attribute into the field separated by a comma.
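The matching rules above can be checked against a planned configuration before it is applied. The following is an added example, not Aruba code or part of the original post: it models the zone fields as comma-separated strings, assumes zone names are compared as exact strings, and uses constructed SSID, AP and zone names plus a hypothetical `restricted` set for SSIDs that should never be broadcast cluster-wide.

```python
MAX_ZONES_PER_AP = 6      # limit stated in the article
MAX_ZONES_PER_SSID = 32   # limit stated in the article

def parse_zones(field):
    """Split a comma-separated zone field into a list of zone names."""
    return [z.strip() for z in field.split(",") if z.strip()]

def broadcasts(ssid_field, ap_field):
    """An SSID with no zone goes out on every AP; otherwise one zone must match.
    Assumption: names are compared as exact, case-sensitive strings."""
    ssid_zones = parse_zones(ssid_field)
    return not ssid_zones or bool(set(ssid_zones) & set(parse_zones(ap_field)))

def audit(ssids, aps, restricted=()):
    """Return (coverage, findings) for a planned cluster configuration."""
    findings = []
    for kind, table, limit in (("SSID", ssids, MAX_ZONES_PER_SSID),
                               ("AP", aps, MAX_ZONES_PER_AP)):
        for name, field in table.items():
            zones = parse_zones(field)
            if len(zones) > limit:
                findings.append(f"{kind} {name}: {len(zones)} zones exceeds limit of {limit}")
            findings += [f"{kind} {name}: zone '{z}' contains a space"
                         for z in zones if " " in z]
    ap_zones = {z for field in aps.values() for z in parse_zones(field)}
    for name, field in ssids.items():
        zones = parse_zones(field)
        if not zones and name in restricted:
            findings.append(f"SSID {name}: restricted but has no zone, so it is broadcast on every AP")
        elif zones and not ap_zones & set(zones):
            findings.append(f"SSID {name}: no AP carries any of its zones, so it is never broadcast")
    coverage = {ap: sorted(s for s in ssids if broadcasts(ssids[s], aps[ap]))
                for ap in aps}
    return coverage, findings

# Constructed sample plan (all names are illustrative, not from the article).
SSIDS = {"Guest": "", "Conference": "ConfCenter", "BackOfHouse": "Lobby,Restaurant",
         "IoT": "", "Events": "Balroom"}   # "Balroom" is a deliberate typo
APS = {"ap-lobby-1": "Lobby", "ap-conf-1": "ConfCenter,Ballroom",
       "ap-floor3-1": "GuestRooms"}

if __name__ == "__main__":
    coverage, findings = audit(SSIDS, APS, restricted={"BackOfHouse", "IoT"})
    for ap, names in coverage.items():
        print(f"{ap}: {', '.join(names)}")
    for finding in findings:
        print("FINDING:", finding)
```

On the sample plan, the audit reports the zone-less IoT SSID as broadcast everywhere and the mistyped Events zone as matching no AP, the two mistakes most likely to undo the intended segmentation.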

Use Cases

I’m sure that your head is already spinning with ways to utilize this feature within your network. However, if it’s not, here are a couple of use cases for zones that come to mind.

Aruba Instant GUI - SSID Config

A good example of the use of SSID segmentation is a hotel. Hotels are easy to describe because of their requirement for having different networks broadcast in different places. For example, in the conference room, a conference SSID might be needed, but a conference SSID would provide very little value to users in the guest rooms. Sure, one could try to justify this, but just go with me on this one. In other areas such as the check-in lobby or restaurant, a back-of-house network might be needed for point-of-sale systems or other hotel administrative needs.

While this is not a formal type of network security, in some ways it could be considered as such, since it restricts an SSID to only the areas where it is needed. As a loose example, it inhibits the ability of guests to attempt to connect to that network and potentially gain access to private information from the comfort of their guest room.

Another example of the need for multiple zones within an Instant deployment is an education facility. Typically, all areas will need guest access, but there may be certain areas interspersed throughout that need an IoT network for wireless clocks, alarms, etc. There also might be a need for a conference or other event network to be broadcast with access to a secured VLAN that should not be broadcast everywhere. Since users now have the ability to use multiple zones, a new zone could be created for that need and temporarily applied to certain areas/APs without having to affect existing SSIDs.

Now that I’ve armed you with the knowledge of what the Aruba Instant zones feature does and how to configure it, I encourage you to take a look at your network and see how you can provide a bit of added security via SSID segmentation. You might have a problem area that this information can resolve and not even know it!

Follow Scott Lester on Twitter @theITrebel.